Compliance officers may have heard news of the speech Deputy Attorney General Rod Rosenstein gave on Oct. 25, where he touched on corporate compliance programs and the Justice Department’s enforcement against misconduct.
This is the third speech Rosenstein has given in the last six weeks where he touched on corporate compliance programs and misconduct, and where he also mentioned forthcoming changes to enforcement policy.
So what’s to come? How should corporate ethics and compliance officers anticipate possible changes?
As I’ve said before, compliance officers should take a breath. For changes to your daily routines, responsibilities, and challenges, the most likely answer is “nothing quick, and nothing much.”
First, Rosenstein’s pledge to simplify and clarify enforcement policy is welcome news. Enforcement postures do vary from one jurisdiction to the next, and even from one federal prosecutor to the next. Consistency and clarity will be welcome news to any company under investigation.
But improved relations with federal prosecutors are good news foremost for the legal department, which is trying to settle specific cases. Compliance officers have broader concerns. Plenty of those concerns have, at best, a fleeting relationship with criminal enforcement.
For example, for most firms today, your most pressing compliance concern is not anti-bribery enforcement; it’s cybersecurity. More specifically, your company needs to get a stronger grip on its vendor risk management, because bringing new vendors into your extended enterprise—and all their attendant risks—has never been easier.
Now, does good vendor risk management trace its roots back to fears of FCPA enforcement? Of course. It also helps with human trafficking, business continuity, money laundering, and other risks. But let’s not kid ourselves: these days the board is freaked about cybersecurity, lest a thief from overseas steal every customer record and ruin your firm’s reputation in the process.
That risk exists irrespective of what Rosenstein or any other Justice Department official might do about enforcement policy. It’s not a legal department issue at all. It’s an issue of assessing a risk to the organization, and ensuring all relevant parties take proper steps to prevent the risk from striking. That’s what the compliance function does. It ensures people follow policy.
Or take disclosure of climate change risk: something the Justice Department will probably never address because that’s not its purview, although the Securities and Exchange Commission might. Let’s assume that for whatever reason, the SEC and other branches of the Trump Administration ignore requirements for climate change disclosure.
Again, on a practical basis—how much difference will that make? The other week I had lunch with the chief compliance officer of an asset management fund with roughly $100 billion under management. This firm’s investors (union pension funds, mutual funds) inquire about the fund’s approach to risk management all the time, including issues such as climate change, human trafficking, and cybersecurity.
“I’ve been visited by the SEC twice in seven years,” this CCO told me. “I get called by our investors multiple times every year. They don’t need the exposure to the risks—the bad headlines and whatnot—any more than we do.”
That dynamic isn’t going to fade any time soon. Corporate ethics and compliance continues to evolve toward a world of governing risks, of all stripes.
So we can wait to see what Rosenstein proposes for simplifying enforcement policy, holding individuals more accountable, and not threatening corporations with large monetary penalties. His changes might even be welcome news.
But they won’t make the business world any less risky, and compliance functions will still have an enormous amount to do.